fix(bootstrap): use iptables-nft backend for flannel on Podman#26

Merged
maxamillion merged 1 commit into LobsterTrap:midstream from maxamillion:fix/flannel-nftables-entrypoint
Apr 8, 2026

Conversation

@maxamillion

Summary

On modern distributions (Fedora 43+, RHEL 10+) that ship only nf_tables without legacy iptable_nat/iptable_filter kernel modules, the openshell gateway fails to start because flannel's masquerade rules crash with:

iptables v1.8.11 (legacy): can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
flannel exited: failed to setup masq rules

Root Cause

The cluster container's /usr/sbin/iptables resolves via /etc/alternatives/iptables to iptables-legacy, which requires the iptable_nat kernel module. While kube-proxy was already correctly set to --proxy-mode=nftables for Podman, flannel's embedded traffic manager still calls /usr/sbin/iptables for masquerade rules, hitting the legacy path.

Fix

Register the k3s-bundled xtables-nft-multi (/usr/bin/aux/xtables-nft-multi) as a higher-priority iptables alternative via update-alternatives in the entrypoint script. This redirects flannel's iptables calls to the nft backend, which uses the nf_tables kernel module (always available on modern distros) instead of the legacy iptable_nat module.

update-alternatives --install \
    /usr/sbin/iptables iptables /usr/bin/aux/xtables-nft-multi 20 \
    --follower /usr/sbin/ip6tables ip6tables /usr/bin/aux/xtables-nft-multi \
    --follower /usr/sbin/iptables-save iptables-save /usr/bin/aux/xtables-nft-multi \
    --follower /usr/sbin/iptables-restore iptables-restore /usr/bin/aux/xtables-nft-multi \
    --follower /usr/sbin/ip6tables-save ip6tables-save /usr/bin/aux/xtables-nft-multi \
    --follower /usr/sbin/ip6tables-restore ip6tables-restore /usr/bin/aux/xtables-nft-multi

Priority 20 beats the existing iptables-legacy at priority 10, so update-alternatives auto-selects the nft backend. All follower symlinks switch atomically.

This also removes the previous workaround of warning users to manually modprobe iptable_nat.

Related Issue

Fixes gateway startup failure on Fedora 43 (and any nftables-only host) when running via Podman from the COPR package.

Changes

  • deploy/docker/cluster-entrypoint.sh: For Podman runtime, register xtables-nft-multi as a higher-priority iptables alternative before starting K3s. Remove the iptable_nat kernel module warning check.

Testing

Validated end-to-end on an ephemeral Fedora 43 Linode instance:

| Condition | Status |
|---|---|
| SELinux | Enforcing ✅ |
| firewalld | Active ✅ |
| Legacy iptables modules on host | None loaded |
| iptables --version inside container | v1.8.11 (nf_tables) |
| Flannel subnet.env | Populated correctly ✅ |
| Container restarts | 0 |
| All K8s pods (coredns, metrics, local-path, agent-sandbox-controller) | Running ✅ |
| Node status | Ready ✅ |

Checklist

  • Change is scoped to the issue (flannel iptables backend selection)
  • Existing Docker behavior is preserved (nft switch only applies when CONTAINER_RUNTIME=podman)
  • Backward compatible (hosts with legacy iptables modules still work — nft is a superset)
  • Validated on target platform (Fedora 43, nftables-only)
  • No secrets or credentials committed

On modern distributions (Fedora 43+, RHEL 10+) that ship only nf_tables
without legacy iptable_nat/iptable_filter kernel modules, flannel's
masquerade rules fail because the container's iptables alternative points
to iptables-legacy by default.

Register the k3s-bundled xtables-nft-multi as a higher-priority iptables
alternative via update-alternatives so flannel uses the nf_tables kernel
path. This eliminates the dependency on legacy iptables kernel modules
while preserving compatibility with older hosts that still have them.

Replaces the previous approach of warning about missing iptable_nat and
requiring users to manually load legacy kernel modules.

Validated on Fedora 43 with SELinux Enforcing, firewalld active, and
zero legacy iptables modules loaded.
@coderabbitai

coderabbitai bot commented Apr 8, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.


@maxamillion maxamillion merged commit 73909fb into LobsterTrap:midstream Apr 8, 2026
11 of 16 checks passed